CVE-2025-0842
Published: 29 January 2025
Summary
CVE-2025-0842 is a high-severity Injection (CWE-74) vulnerability in Needyamin Library Card System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates SQL injection by requiring validation of user inputs such as email and password before they are processed in database queries within the admin.php login component.
Requires identification, reporting, and correction of the specific SQL injection flaw in the Library Card System, preventing exploitation once remediated.
Enables vulnerability scanning to identify the SQL injection vulnerability in admin.php, facilitating timely detection and patching of the publicly disclosed exploit.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web login component directly enables remote unauthenticated exploitation of the application for admin access bypass.
NVD Description
A vulnerability was found in needyamin Library Card System 1.0 and classified as critical. This issue affects some unknown processing of the file admin.php of the component Login. The manipulation of the argument email/password leads to sql injection. The attack…
more
may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-0842 is a critical SQL injection vulnerability (CWE-74, CWE-89) in needyamin Library Card System 1.0. The issue resides in the unknown processing of the admin.php file within the Login component, where manipulation of the email and password arguments triggers the injection.
Attackers can exploit this remotely without authentication or user interaction, requiring only low attack complexity, as reflected in the CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation enables limited impacts on confidentiality, integrity, and availability.
VulDB advisories (vuldb.com/?ctiid.293999, vuldb.com/?id.293999, vuldb.com/?submit.485540) document the vulnerability, and a proof-of-concept demonstrating admin login bypass is available at websecurityinsights.my.id/2025/01/library-card-system-admin-login-bypass.html. The exploit has been publicly disclosed and may be used; no patches are referenced in the provided details.
The vulnerability was published on 2025-01-29, with the exploit already public.
Details
- CWE(s)